From b622948dbd9c62b391bb3626cad5ff350df20542 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Fri, 3 Jul 2026 08:33:09 -0700 Subject: [PATCH 1/7] fix(arc-dind): mount workspace correctly and unify artifact roots MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug A: The agent sees an empty workspace because dockerHostPathPrefix translates the workspace mount source to a non-existent path. With sysroot-stage active, the Docker daemon can see all needed paths via: - Shared work volume (/home/runner/_work/) for workspace & RUNNER_TEMP - Sysroot named volume for system binaries - Kernel VFS for /dev, /sys Remove dockerHostPathPrefix from the AWF config — it's unnecessary and harmful when sysroot provides all system paths. Bug B: The agent artifact upload spans two path roots (/tmp/gh-aw/ and ${{ runner.temp }}/gh-aw/), causing upload-artifact to compute '/' as the common ancestor. This creates a nested directory layout that breaks downstream artifact downloads (detection job can't find agent_output.json). Fix by: 1. Rewriting all /tmp/gh-aw/ artifact paths to ${{ runner.temp }}/gh-aw/ 2. Adding a consolidation step that copies /tmp/gh-aw/ contents to the runner.temp location before upload Fixes: gh-aw#34896 --- pkg/workflow/arc_dind_artifacts.go | 48 +++++++++++++++++++++++++ pkg/workflow/arc_dind_artifacts_test.go | 43 ++++++++++++++++++++++ pkg/workflow/awf_config.go | 17 +++++---- pkg/workflow/awf_config_test.go | 4 +-- pkg/workflow/compiler_yaml_main_job.go | 16 +++++++++ 5 files changed, 117 insertions(+), 11 deletions(-) create mode 100644 pkg/workflow/arc_dind_artifacts.go create mode 100644 pkg/workflow/arc_dind_artifacts_test.go diff --git a/pkg/workflow/arc_dind_artifacts.go b/pkg/workflow/arc_dind_artifacts.go new file mode 100644 index 00000000000..1f5e5d81481 --- /dev/null +++ b/pkg/workflow/arc_dind_artifacts.go @@ -0,0 +1,48 @@ +package workflow + +import ( + "fmt" + "strings" + + "github.com/github/gh-aw/pkg/constants" +) + +// rewriteTmpGhAwPathsForArcDind rewrites artifact paths that use /tmp/gh-aw/ to +// use ${{ runner.temp }}/gh-aw/ instead, so all paths share a single root for the +// artifact upload. This prevents upload-artifact from computing "/" as the common +// ancestor (which happens when paths span both /tmp/gh-aw/ and the runner.temp tree), +// causing a nested directory layout that breaks downstream artifact downloads. +func rewriteTmpGhAwPathsForArcDind(paths []string) []string { + result := make([]string, len(paths)) + for i, p := range paths { + if strings.HasPrefix(p, constants.TmpGhAwDirSlash) { + // /tmp/gh-aw/foo → ${{ runner.temp }}/gh-aw/foo + result[i] = constants.GhAwRootDir + "/" + strings.TrimPrefix(p, constants.TmpGhAwDirSlash) + } else if p == constants.TmpGhAwDir { + result[i] = constants.GhAwRootDir + } else { + result[i] = p + } + } + return result +} + +// generateArcDindArtifactConsolidationStep emits a workflow step that copies files +// from /tmp/gh-aw/ to ${{ runner.temp }}/gh-aw/ so the artifact upload has a single +// root directory. On ARC/DinD, agent output files (agent_output.json, safe_outputs.ndjson, +// aw-prompts/, patches, MCP logs) are written to /tmp/gh-aw/ during execution, but +// firewall logs are under ${{ runner.temp }}/gh-aw/. This step consolidates them. +func (c *Compiler) generateArcDindArtifactConsolidationStep(yaml *strings.Builder) { + yaml.WriteString(" - name: Consolidate artifacts for ARC/DinD\n") + yaml.WriteString(" if: always()\n") + yaml.WriteString(" shell: bash\n") + yaml.WriteString(" run: |\n") + // Use rsync-like cp to merge /tmp/gh-aw/ into ${RUNNER_TEMP}/gh-aw/ without + // clobbering existing files (firewall logs already there). The -a flag preserves + // permissions/timestamps, --no-clobber skips existing files. + yaml.WriteString(" # Consolidate /tmp/gh-aw/ into ${RUNNER_TEMP}/gh-aw/ for single-root artifact upload\n") + yaml.WriteString(" if [ -d /tmp/gh-aw ]; then\n") + fmt.Fprintf(yaml, " cp -a --no-clobber /tmp/gh-aw/. \"${RUNNER_TEMP}/gh-aw/\" 2>/dev/null || \\\n") + fmt.Fprintf(yaml, " cp -a /tmp/gh-aw/. \"${RUNNER_TEMP}/gh-aw/\" 2>/dev/null || true\n") + yaml.WriteString(" fi\n") +} diff --git a/pkg/workflow/arc_dind_artifacts_test.go b/pkg/workflow/arc_dind_artifacts_test.go new file mode 100644 index 00000000000..64f92d70480 --- /dev/null +++ b/pkg/workflow/arc_dind_artifacts_test.go @@ -0,0 +1,43 @@ +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestRewriteTmpGhAwPathsForArcDind(t *testing.T) { + t.Run("rewrites /tmp/gh-aw/ prefixed paths to runner.temp expression", func(t *testing.T) { + input := []string{ + "/tmp/gh-aw/agent_output.json", + "/tmp/gh-aw/safe_outputs.ndjson", + "/tmp/gh-aw/aw-prompts/prompt.txt", + "/tmp/gh-aw/mcp-logs/", + "/tmp/gh-aw/aw-*.patch", + } + result := rewriteTmpGhAwPathsForArcDind(input) + assert.Equal(t, "${{ runner.temp }}/gh-aw/agent_output.json", result[0]) + assert.Equal(t, "${{ runner.temp }}/gh-aw/safe_outputs.ndjson", result[1]) + assert.Equal(t, "${{ runner.temp }}/gh-aw/aw-prompts/prompt.txt", result[2]) + assert.Equal(t, "${{ runner.temp }}/gh-aw/mcp-logs/", result[3]) + assert.Equal(t, "${{ runner.temp }}/gh-aw/aw-*.patch", result[4]) + }) + + t.Run("preserves paths already using runner.temp expression", func(t *testing.T) { + input := []string{ + "${{ runner.temp }}/gh-aw/sandbox/firewall/logs/", + "${{ runner.temp }}/gh-aw/awf-config.json", + } + result := rewriteTmpGhAwPathsForArcDind(input) + assert.Equal(t, input, result) + }) + + t.Run("preserves unrelated paths", func(t *testing.T) { + input := []string{ + "/some/other/path", + "relative/path", + } + result := rewriteTmpGhAwPathsForArcDind(input) + assert.Equal(t, input, result) + }) +} diff --git a/pkg/workflow/awf_config.go b/pkg/workflow/awf_config.go index fd2c7083b2f..d0e3e4846e7 100644 --- a/pkg/workflow/awf_config.go +++ b/pkg/workflow/awf_config.go @@ -552,15 +552,14 @@ func BuildAWFConfigJSON(config AWFCommandConfig) (string, error) { container := &AWFContainerConfig{ ImageTag: awfImageTag, } - // For ARC/DinD topology, set dockerHostPathPrefix in config. - // AWF uses this to prefix bind-mount source paths so the DinD daemon can resolve - // runner filesystem paths from its separate mount namespace. - // The config file is written at runtime, so ${RUNNER_TEMP} can be preserved for - // shell expansion before AWF reads the JSON. - if isArcDindTopology(config.WorkflowData) { - container.DockerHostPathPrefix = awfArcDindRootPathExpr - awfConfigLog.Printf("Container section: dockerHostPathPrefix=%s (arc-dind topology)", awfArcDindRootPathExpr) - } + // NOTE: dockerHostPathPrefix is intentionally NOT set for arc-dind topology. + // With sysroot-stage active, the Docker daemon can access all needed paths: + // - Workspace & RUNNER_TEMP: on the shared work volume (/home/runner/_work/) + // - System binaries: provided by the sysroot named volume (not bind mounts) + // - Kernel VFS (/dev, /sys): daemon's own kernel + // Setting a prefix would incorrectly translate the workspace mount source to + // a non-existent path (e.g. /prefix/home/runner/_work/repo → empty dir), + // causing the agent to see an empty workspace. See gh-aw#34896. awfConfig.Container = container if awfImageTag != "" { awfConfigLog.Printf("Container section: image_tag=%s", awfImageTag) diff --git a/pkg/workflow/awf_config_test.go b/pkg/workflow/awf_config_test.go index b461f726106..c6dcd3bc247 100644 --- a/pkg/workflow/awf_config_test.go +++ b/pkg/workflow/awf_config_test.go @@ -132,7 +132,7 @@ func TestBuildAWFConfigJSON(t *testing.T) { assert.Contains(t, jsonStr, `"topologyAttach":["awmg-mcpg"]`, "should attach MCP gateway container to awf-net") }) - t.Run("runner topology arc-dind emits runner section and container.dockerHostPathPrefix", func(t *testing.T) { + t.Run("runner topology arc-dind emits runner section without dockerHostPathPrefix", func(t *testing.T) { config := AWFCommandConfig{ EngineName: "copilot", AllowedDomains: "github.com", @@ -149,7 +149,7 @@ func TestBuildAWFConfigJSON(t *testing.T) { require.NoError(t, err, "BuildAWFConfigJSON should not return an error") assert.Contains(t, jsonStr, `"runner":{"topology":"arc-dind"}`, "should emit runner topology") - assert.Contains(t, jsonStr, `"dockerHostPathPrefix":"${RUNNER_TEMP}/gh-aw"`, "should emit dockerHostPathPrefix for arc-dind") + assert.NotContains(t, jsonStr, `"dockerHostPathPrefix"`, "should NOT emit dockerHostPathPrefix for arc-dind (sysroot handles path visibility)") assert.Contains(t, jsonStr, `"proxyLogsDir":"${RUNNER_TEMP}/gh-aw/sandbox/firewall/logs"`, "should emit arc-dind proxyLogsDir") assert.Contains(t, jsonStr, `"auditDir":"${RUNNER_TEMP}/gh-aw/sandbox/firewall/audit"`, "should emit arc-dind auditDir") }) diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 8e8d1e8df54..22f322a8a9e 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -728,6 +728,13 @@ func (c *Compiler) collectArtifactPaths(data *WorkflowData, engine CodingAgentEn } } + // For ARC/DinD, rewrite all /tmp/gh-aw/ paths to ${{ runner.temp }}/gh-aw/ so + // the artifact upload has a single root. A consolidation step (emitted before upload) + // copies the files from /tmp/gh-aw/ to the runner.temp location. See gh-aw#34896 Bug B. + if isArcDindTopology(data) { + paths = rewriteTmpGhAwPathsForArcDind(paths) + } + return paths } @@ -840,6 +847,15 @@ func (c *Compiler) generatePostAgentCollectionAndUpload(yaml *strings.Builder, d // Add post-steps (if any) after AI execution c.generatePostSteps(yaml, data) + // For ARC/DinD, consolidate all artifact files under ${{ runner.temp }}/gh-aw/ + // before upload. Without this, upload-artifact receives paths from two roots + // (/tmp/gh-aw/ and ${{ runner.temp }}/gh-aw/), computes "/" as the common ancestor, + // and creates a nested directory layout that breaks downstream artifact downloads. + // See gh-aw#34896 Bug B. + if isArcDindTopology(data) { + c.generateArcDindArtifactConsolidationStep(yaml) + } + // Generate single unified artifact upload with all collected paths. // In workflow_call context, apply the per-invocation prefix to avoid name clashes. agentArtifactPrefix := artifactPrefixExprForDownstreamJob(data) From 2ab7dd27202daf8c87f2c996b7d9a72609d9e845 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Fri, 3 Jul 2026 08:37:54 -0700 Subject: [PATCH 2/7] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- pkg/workflow/arc_dind_artifacts.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/workflow/arc_dind_artifacts.go b/pkg/workflow/arc_dind_artifacts.go index 1f5e5d81481..b679240dbc1 100644 --- a/pkg/workflow/arc_dind_artifacts.go +++ b/pkg/workflow/arc_dind_artifacts.go @@ -42,6 +42,7 @@ func (c *Compiler) generateArcDindArtifactConsolidationStep(yaml *strings.Builde // permissions/timestamps, --no-clobber skips existing files. yaml.WriteString(" # Consolidate /tmp/gh-aw/ into ${RUNNER_TEMP}/gh-aw/ for single-root artifact upload\n") yaml.WriteString(" if [ -d /tmp/gh-aw ]; then\n") + yaml.WriteString(" mkdir -p \"${RUNNER_TEMP}/gh-aw\"\n") fmt.Fprintf(yaml, " cp -a --no-clobber /tmp/gh-aw/. \"${RUNNER_TEMP}/gh-aw/\" 2>/dev/null || \\\n") fmt.Fprintf(yaml, " cp -a /tmp/gh-aw/. \"${RUNNER_TEMP}/gh-aw/\" 2>/dev/null || true\n") yaml.WriteString(" fi\n") From 5965706fb0537e89192133c2b20f89198f30281c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 3 Jul 2026 15:44:44 +0000 Subject: [PATCH 3/7] Add changeset --- .changeset/patch-fix-arc-dind-artifact-roots.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/patch-fix-arc-dind-artifact-roots.md diff --git a/.changeset/patch-fix-arc-dind-artifact-roots.md b/.changeset/patch-fix-arc-dind-artifact-roots.md new file mode 100644 index 00000000000..bdfc163ce5e --- /dev/null +++ b/.changeset/patch-fix-arc-dind-artifact-roots.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Fix ARC/DinD workflow artifact roots so agent outputs and firewall logs upload with a single directory layout. From 1208228f2b561fbb337ffe9e65f016b29bd44556 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 3 Jul 2026 17:02:16 +0000 Subject: [PATCH 4/7] fix(arc-dind): use strings.CutPrefix to satisfy modernize linter Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/workflow/arc_dind_artifacts.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/workflow/arc_dind_artifacts.go b/pkg/workflow/arc_dind_artifacts.go index b679240dbc1..62723302b3f 100644 --- a/pkg/workflow/arc_dind_artifacts.go +++ b/pkg/workflow/arc_dind_artifacts.go @@ -15,9 +15,9 @@ import ( func rewriteTmpGhAwPathsForArcDind(paths []string) []string { result := make([]string, len(paths)) for i, p := range paths { - if strings.HasPrefix(p, constants.TmpGhAwDirSlash) { + if rest, ok := strings.CutPrefix(p, constants.TmpGhAwDirSlash); ok { // /tmp/gh-aw/foo → ${{ runner.temp }}/gh-aw/foo - result[i] = constants.GhAwRootDir + "/" + strings.TrimPrefix(p, constants.TmpGhAwDirSlash) + result[i] = constants.GhAwRootDir + "/" + rest } else if p == constants.TmpGhAwDir { result[i] = constants.GhAwRootDir } else { From 40547dc8e111f45d50a12c9558b1acbafb1ff2cc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 5 Jul 2026 12:37:05 +0000 Subject: [PATCH 5/7] fix(test): update pr-sous-chef contract test to match current workflow (process all PRs) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- pkg/cli/pr_sous_chef_workflow_contract_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/cli/pr_sous_chef_workflow_contract_test.go b/pkg/cli/pr_sous_chef_workflow_contract_test.go index 6d64e884d3a..c4d99665dac 100644 --- a/pkg/cli/pr_sous_chef_workflow_contract_test.go +++ b/pkg/cli/pr_sous_chef_workflow_contract_test.go @@ -27,7 +27,7 @@ func TestPRSousChefWorkflowAddCommentTargetContract(t *testing.T) { assert.Contains(t, text, "Never emit `add_comment` without a numeric target field", "Workflow must forbid targetless add_comment items") assert.Contains(t, text, "pr_number 12345", "Workflow should include a concrete add_comment pr_number example") assert.Contains(t, text, "include an explicit unresolved-reviews list", "Workflow should require explicit unresolved review listing in nudge comments") - assert.Contains(t, text, "Process at most **5 PRs** per run.", "Workflow should cap per-run PR processing to 5") + assert.Contains(t, text, "Process all eligible PRs per run.", "Workflow should process all eligible PRs per run") assert.Contains(t, text, "Make at most 8 tool calls total.", "Sub-agent should have a hard tool-call budget") assert.Contains(t, text, "model: sonnet", "Sub-agent should use a Sonnet model alias") assert.Contains(t, text, "skip_reason: \"sub_agent_error\"", "Workflow should skip failed sub-agent responses without retry") From e36b8787b17b5b5a044eae099ce990f7fd8602b6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 5 Jul 2026 16:21:02 +0000 Subject: [PATCH 6/7] =?UTF-8?q?fix(pr-sous-chef):=20sync=20.md=20source=20?= =?UTF-8?q?with=20compiled=20behavior=20=E2=80=94=20process=20all=20eligib?= =?UTF-8?q?le=20PRs=20per=20run?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/pr-sous-chef.lock.yml | 25 +++++++++++++------------ .github/workflows/pr-sous-chef.md | 2 +- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 32fa58e545f..327edaf558b 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1,15 +1,15 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b333149840d79d1d58a2c70281eb407382b2b02e79d32fb4a5302c603876ffce","body_hash":"38aa359527a578c3b9d772db783746d644dba8786bae10580d2d4859ad8ef875","strict":true,"agent_id":"pi","agent_model":"copilot/gpt-5.4","engine_versions":{"pi":"0.80.3"}} +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"b333149840d79d1d58a2c70281eb407382b2b02e79d32fb4a5302c603876ffce","body_hash":"b1447c0923f6d8d4a154525879e363eccb229839c877241a5757097e7bdf1436","strict":true,"agent_id":"pi","agent_model":"copilot/gpt-5.4","engine_versions":{"pi":"0.80.3"}} # gh-aw-manifest: {"version":1,"secrets":["AWI_MAINTENANCE_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.22","digest":"sha256:55f06588411008b7148eb64b8dfe28602a0cce3675b36c6b190b54aca138468e","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.22@sha256:55f06588411008b7148eb64b8dfe28602a0cce3675b36c6b190b54aca138468e"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.22","digest":"sha256:afb9ff9140b17d38871dfb9dbac5ff8689ea634c2f91c435da2825192d4881c1","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.22@sha256:afb9ff9140b17d38871dfb9dbac5ff8689ea634c2f91c435da2825192d4881c1"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.22","digest":"sha256:e23e1604241f579b418e6522d938285b57ada31bc27742a65c90ee2250b1755c","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.22@sha256:e23e1604241f579b418e6522d938285b57ada31bc27742a65c90ee2250b1755c"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.22","digest":"sha256:3cdcc1e2b4b4fe602ba69fd3e21aac7ac512d5c1fce24df4ce69dc4f98164b59","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.22@sha256:3cdcc1e2b4b4fe602ba69fd3e21aac7ac512d5c1fce24df4ce69dc4f98164b59"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -363,7 +363,7 @@ jobs: authentication will not succeed. If you encounter credential prompts or authentication errors, stop immediately and report the limitation rather than spending turns trying to work around it. - + GH_AW_PROMPT_1007377445313f3f_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/cli_proxy_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then @@ -409,9 +409,9 @@ jobs: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io, getOctokit); - + const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -1058,7 +1058,7 @@ jobs: run: | set -eo pipefail mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config" - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="8080" export MCP_GATEWAY_DOMAIN="awmg-mcpg" @@ -1070,7 +1070,7 @@ jobs: mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" export DEBUG="*" - + export GH_AW_ENGINE="pi" export GH_AW_MCP_CLI_SERVERS='["safeoutputs"]' MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0') @@ -1082,7 +1082,7 @@ jobs: esac DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' - + GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { @@ -2143,3 +2143,4 @@ jobs: sparse-checkout-cone-mode: true clean: false persist-credentials: false + diff --git a/.github/workflows/pr-sous-chef.md b/.github/workflows/pr-sous-chef.md index f3122cbb0f5..f726d3db6cc 100644 --- a/.github/workflows/pr-sous-chef.md +++ b/.github/workflows/pr-sous-chef.md @@ -255,7 +255,7 @@ When this workflow is triggered by the `/souschef` slash command on a PR comment 1. Read `/tmp/gh-aw/agent/pr-sous-chef-candidates-compact.json` first. 2. If `prs` is empty, create the run-report issue (see **Run summary** below) and stop. If `create_issue` is unavailable, fall back to `noop` with the message `"processed=0; nudged=0; no eligible PRs"` and stop. 3. Process PRs in `updatedAt` descending order. -4. Process at most **5 PRs** per run. +4. Process all eligible PRs per run. 5. Use the `pr-processor` sub-agent for each PR; pass only the PR number and compact context. 6. If a `pr-processor` call returns non-JSON or an error, record `{pr_number: , skip_reason: "sub_agent_error"}` in the `skipped` array of the run-summary issue payload and move to the next PR without retrying. 7. Do not fetch full PR diffs or large file lists unless absolutely required for a skip decision. From 46e705968009189be5e2d58116d333b303a61c88 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 5 Jul 2026 16:46:43 +0000 Subject: [PATCH 7/7] style(pr-sous-chef): strip trailing whitespace from lock file (make fmt) Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/pr-sous-chef.lock.yml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 327edaf558b..368310866cb 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -2,14 +2,14 @@ # gh-aw-manifest: {"version":1,"secrets":["AWI_MAINTENANCE_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/cache/save","sha":"55cc8345863c7cc4c66a329aec7e433d2d1c52a9","version":"v6.1.0"},{"repo":"actions/checkout","sha":"9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0","version":"v7.0.0"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"924ae3a1cded613372ab5595356fb5720e22ba16","version":"v6.5.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.22","digest":"sha256:55f06588411008b7148eb64b8dfe28602a0cce3675b36c6b190b54aca138468e","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.22@sha256:55f06588411008b7148eb64b8dfe28602a0cce3675b36c6b190b54aca138468e"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.22","digest":"sha256:afb9ff9140b17d38871dfb9dbac5ff8689ea634c2f91c435da2825192d4881c1","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.22@sha256:afb9ff9140b17d38871dfb9dbac5ff8689ea634c2f91c435da2825192d4881c1"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.22","digest":"sha256:e23e1604241f579b418e6522d938285b57ada31bc27742a65c90ee2250b1755c","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.22@sha256:e23e1604241f579b418e6522d938285b57ada31bc27742a65c90ee2250b1755c"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.22","digest":"sha256:3cdcc1e2b4b4fe602ba69fd3e21aac7ac512d5c1fce24df4ce69dc4f98164b59","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.22@sha256:3cdcc1e2b4b4fe602ba69fd3e21aac7ac512d5c1fce24df4ce69dc4f98164b59"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.33","digest":"sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.33@sha256:f0e1f1d562f01e737f3ef125cb4d7057ff87a68a97927f5ea9fd6d3f5091da06"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.5.0","digest":"sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4","pinned_image":"ghcr.io/github/github-mcp-server:v1.5.0@sha256:e25564dccc9110a70a77b9df560cbde11aa392fcb5f08b9abe5c4ebc6d146ea4"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md # -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| @@ -363,7 +363,7 @@ jobs: authentication will not succeed. If you encounter credential prompts or authentication errors, stop immediately and report the limitation rather than spending turns trying to work around it. - + GH_AW_PROMPT_1007377445313f3f_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/cli_proxy_with_safeoutputs_prompt.md" if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then @@ -409,9 +409,9 @@ jobs: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io, getOctokit); - + const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs'); - + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -1058,7 +1058,7 @@ jobs: run: | set -eo pipefail mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config" - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="8080" export MCP_GATEWAY_DOMAIN="awmg-mcpg" @@ -1070,7 +1070,7 @@ jobs: mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" export DEBUG="*" - + export GH_AW_ENGINE="pi" export GH_AW_MCP_CLI_SERVERS='["safeoutputs"]' MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0') @@ -1082,7 +1082,7 @@ jobs: esac DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network bridge -p 127.0.0.1:'"${MCP_GATEWAY_PORT}"':'"${MCP_GATEWAY_PORT}"' --name awmg-mcpg --add-host host.docker.internal:host-gateway --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_POLICY_ALLOW_CREATE_PULL_REQUEST -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e RUNNER_TEMP -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw -v '"${RUNNER_TEMP}"'/gh-aw/safeoutputs:'"${RUNNER_TEMP}"'/gh-aw/safeoutputs:rw ghcr.io/github/gh-aw-mcpg:v0.3.33' - + GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) cat << GH_AW_MCP_CONFIG_ce22edf57df3e804_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { @@ -2143,4 +2143,3 @@ jobs: sparse-checkout-cone-mode: true clean: false persist-credentials: false -